Emails & More – CSA Summit 2018


Take-off & CSA Developments

By now a key event in the email marketing calendar, the CSA Summit 2018 took place for the 5th time on 18-20 April, in the impressive setting of The Aircraft, an event location designed along the theme of an aeroplane, under the motto of “Emails & More”. The theme of flying was maintained throughout the event, with Julia Janssen-Holldiek, Director of the Certified Senders Alliance (CSA), explaining that, similar to frequent flyer rewards programs, frequent emailers can be rewarded with improved deliverability – a faster, safer, and more comfortable trip to inbox land – if they take care of the technical and legal best practices advocated by the CSA; with “miles” in this sense equating to “knowledge” gained during the Summit, which delegates can redeem when they return home. Further to the knowledge exchange, the CSA Summit 2018 was designed to allow as much opportunity for business networking as possible for delegates.

In keeping with the travel metaphor, the sponsors, who were each given a brief chance to introduce themselves, were categorized as Economy sponsors (dmarcian, emailsuccess, and postmastery), Business Class (MailerQ and port25), and First Class (250ok).

Janssen-Holldiek opened the event by welcoming delegates old and new, and providing an overview of the CSA’s activities and growth during 2017. The event itself this year played host to 19 different nationalities, up from the 12 nationalities in attendance in 2017 – a demonstration of the CSA’s increased activities in international communication and awareness-raising.

Janssen-Holldiek explained that everything the CSA does is related to their mission (“We create and enable quality standards for commercial emailing”). Both legal requirements and technical best practices are merged in the CSA admission criteria, which are updated regularly. The challenge, as she sees it, is to push standards in the market. Certified senders voluntarily submit to standards, through which they get better deliverability. The main aim for the CSA in 2017 was to grow the network and increase the number of certified senders.

In 2017 the CSA undertook 11 certifications of new senders and received 17 applications. During the year, the CSA received 250 requests for proposals, up from 163 the previous year – again signifying the awareness-raising work the team undertook in 2017. Janssen-Holldiek views the low conversion rate as a healthy situation – the CSA undertakes certification according to strict criteria, with a focus on quality standards, and there is no pressure exerted (for example, from shareholders) to compromise on quality to increase conversion.

In 2017, the team altered their processes for control of the CSA whitelist, implementing an automated compliance monitor which randomly checks newsletters of senders to replace the former manual process. The spamtrap alert service was also expanded in 2017, having gained more sources, and now spamtrap alerts are sent every 24 hours, to aid ESPs in their work with their customers. Communication of quality standards was also intensified, with the hiring of a new international agency to support activities in Spain, Italy, France, and Germany. The CSA website was also relaunched during the year, with lots of topics and a library of documentation, with everything available for download. Janssen-Holldiek called on delegates to let the CSA team know if there are any important topics missing which can be added during 2018. A further communication and educational initiative was the introduction of a new webinar, “GDPR for Email Senders” which companies can purchase in order to train whole teams, alongside webinars more tailored to the needs of the individual company.

In 2017 the eco Complaints Office continued its excellent work in dealing with end-user complaints, including complaints about spam. Janssen-Holldiek advised senders to view the Complaints Office work not as a source of difficulties, but as a form of legal consultation – to get a detailed analysis about what was wrong with an email and to get help becoming compliant with the forthcoming EU General Data Protection Regulation (GDPR).

Julia Janssen-Holldiek finished by mentioning the partners of the Certified Senders Alliance, including eco, the DDV (German Dialog Marketing Association), the BVDW (German Federal Association of the Digital Industry), and the DMVÖ (Dialog Marketing Association of Austria). A recent addition is – a partnership designed to support the business development of CSA-certified ESPs. ESPs can update their page on the portal, can be asked for an interview, and have the opportunity to publish a guest blog post. Another new collaboration is with the French association Signal Spam – the aim of the collaboration is, together with eco, to work more effectively in the fight against spam. In the new collaboration, a joint paper has recently been developed, specifically on how the French law will change as a result of the GDPR.

The ePrivacy Regulation – current status and the impact on electronic communication

Attorney and Chairman of the Board at eco – Association of the Internet Industry, Oliver Süme brought delegates at the CSA Summit 2018 on a guided tour to Data Protection Wonderland, with a stopover in Brussels, the heart of EU policy and lawmakers. Süme gave an overview of the EU ePrivacy Regulation currently being drafted and negotiated, and offered “six things you need to know” about the bill, the legislative process, and how companies can prepare for it.

What is the ePrivacy Regulation in the first place?

Firstly, Süme put the ePrivacy Regulation into the context of family relations: The legislation is basically the little sister of the EU General Data Protection Regulation (GDPR), conceived initially to come into effect simultaneously with, and aimed at being complementary to, its big sister. ePrivacy also has two cousins: the late Data Protection Directive (dead and buried and replaced by the GDPR) and what is known as the “Cookie” Directive (the first ePrivacy-related EU directive, now on its deathbed).

However, the ePrivacy Regulation has been experiencing a much longer gestation period than the GDPR. Issues relating to ePrivacy have been subject to very controversial discussion between industries, industry associations, and policy makers – even more so than was the case for the GDPR. There is seen to be a need to protect the interests of the consumers, but also the interests of the industry. The regulation is designed to replace the “Cookie” Directive, and has the same approach as the GDPR in terms of territorial scope and application – which means that every company will be subject to the ePrivacy Regulation if they are processing personal data from European consumers, regardless of where in the world the company is based. The much-publicized regime of fines imposed by the GDPR will also apply to the ePrivacy Regulation, and its status as an EU regulation means that it is directly applicable, with no need for implementation laws in the different member states.

What does the ePrivacy Regulation cover?

The legislation is designed to have a broader scope than the old privacy directive, with a focus on the confidentiality of communications, irrespective of what kind of technology is used. The new regulation also covers electronic communication service providers – e.g. voice, messaging, and OTT services. The main aim of the regulation is to protect personally identifiable information (PII) – and as a result, it also covers Machine-to-Machine communication and metadata. Süme pointed out that this gives lawmakers a first opportunity to cover IoT devices, something which they want to have more control of in the future. He commented further that there are many stakeholders that are very concerned about this section of the law, because this has the potential to significantly slow down innovation in the IoT market.

Consent in the ePrivacy Regulation

In terms of consent, nothing changes with regard to classical email marketing; the regulation remains largely similar to the “Cookie” Directive. However, consent becomes the rule, with only limited exemptions from consent – in contrast to enabling communications to be based on legitimate interest as is the case in the GDPR. The ePrivacy Regulation considers everything as high risk, and will almost always require consent (exemptions given would include the use of a cookie in a shopping cart). According to Süme, this is a strong concern for online advertising and marketing as an industry. Süme pointed out that consent can be expressed by using appropriate browser settings, and the regulation requires browsers to have a range of settings and privacy categories to enable granular consent to be given.

Who devised the ePrivacy Regulation?

Oliver Süme went on to clarify law-making in the European Union in relation to the ePrivacy Regulation: There are three organizations responsible for law making. The EU Commission, after analyzing the situation, made the initial proposal. The first draft was published approximately 18 months ago. The draft then went to the European Parliament, which has to find a position on the legislation, and the Parliament published a second version of the draft. Then the draft was taken to the European Council (a very powerful body made up of representatives of the EU member states) – which is where the legislation currently stands. Once all three players have found their positions, they will go into the trialogue negotiations, which have a fundamental role in EU lawmaking.

Criticism of the ePrivacy Regulation

According to Süme, the ePrivacy Regulation is not complementary to the GDPR; it actually supersedes it. He criticizes the fact that there was no time to undertake an evaluation of the GDPR to identify potential gaps and figure out where potential rules are needed before the legislative process for the ePrivacy Regulation was set on course. He calls on the lawmakers to wait until we have gained initial experience with the GDPR before the ePrivacy Regulation is adopted.

Two points in particular were raised as criticism of the ePrivacy Regulation.

No risk-based approach to consent

Firstly, there is no risk-based approach to consent like in the GDPR. Consumers will constantly need to provide consent – which will lead to a situation where consumers cease to care about consent; they will not consider what they have consented to, and will not consider different levels of risk.

No technology-neutrality

Technology is changing very fast, with new services emerging continuously. The legal framework cannot change at the same pace. According to Süme, the EU lawmakers used a very good approach when they drafted the e-Commerce Directive, drafting it in a way that allows it to be technology-neutral. Legislation must be technology-neutral, because otherwise it is too easily invalidated with new technological developments and the associated obsolescence of older technologies. On this point, the draft ePrivacy Regulation specifies browser settings and how to design them, making it very product-centered; as Süme pointed out, the problem is that no-one knows whether browsers will still be relevant in 5-10 years’ time.

When will the ePrivacy Regulation arrive?

As a next step, the EU Council has to find a common position – this can take a long time, especially since so far the two most important States (Germany and France) have not given their positions – in this kind of situation, the smaller States also remain quiet. Süme hypothesized that the lengthy period in which Germany was without a new government has contributed to the country not having prepared a position on the legislation yet, but he surmised that perhaps now a position is being worked on. Given the delay in the Council, Süme predicted that the trialogue negotiations will not start before the summer break – perhaps not until September or October 2018. However, in 2019 there will be EU elections, and if the trialogue negotiations are not finalized by then, the process will start all over again with the new government. As a result, there is no need for companies to panic about the draft legislation – even if the regulation were to come into force in 2019, there will be a grace period of at least one year. However, everything is under discussion, and nothing is written in stone as yet. It will take time before the ePrivacy Regulation will come into effect.

GDPR 360: Practical Use Cases for Senders and Receivers

With so many branches of email marketing participating in the CSA Summit 2018, a panel discussion was organized with attorney and data protection specialist Dr. Jens Eckhardt and four representatives of the email marketing community: Magnus Eén from the brand Westwing, Kerstin Espey from the ISP HeLi NET Telekommunikation, Dr. Isabel Feys from the ESP Mailjet, and Don Owens from the security provider Cisco Systems. The discussion was moderated by CSA attorney Rosa Hafezi, and looked at the impact of the GDPR for all players in emailing.

The discussion revolved around several topics, including definitions, the setting up of processes, the responsibilities of data controllers and third-party service providers, cross-border transfers, and data portability.

Dr. Jens Eckhardt presented “the Holy Trinity of the GDPR”: The three questions that need to be answered are:

  1. Is personal data concerned?
  2. What is the purpose of processing?
  3. What is the legal basis of this processing? – consent, or lawfulness on the basis of a balance of interests

Defining “personally identifiable information” 

What does “personally identifiable information” mean? This is something that companies need to understand, in order to know which data will be involved in GDPR compliance issues. Dr. Jens Eckhardt pointed out that although this is defined by law as “personal data” – and it does not matter whether the data is particularly sensitive or not – nobody is quite clear about what this should mean. He went on to say that the same problem exists in reverse with “anonymous data”: during the legislative process, the lawmakers were unable to develop a workable definition. Recital 26 provides some information – what Eckhardt considers to be “a definition to explain a definition”: Personal Data takes into account “all the means reasonably likely to be used to identify a person,” with “reasonably likely” further depending on the expense and technological developments at the time of the data processing. For Eckhardt, this means that no-one can be completely sure about whether data can be considered anonymous or not – in the end, he commented, there will be almost no anonymous data in a company.

Dr. Eckhardt pointed out that companies will not be able to have one standard process to delete data: there will be some data that needs to be retained – e.g. for tax purposes – meaning that data deletion will need to be largely manual.

The Responsibilities of Data Controllers

Rosa Hafezi posed the question to Magnus Eén of who is responsible for implementing GDPR – the brand or the ESP? In Eén’s opinion, this is mainly the responsibility of the brand – the brand collects and owns the data, whereas the ESP only makes use of the data. On this point, Eckhardt argued that the brand is primarily, but not solely responsible: The ESP has its own duties, and the brand will hand over some duties to the ESP. This does not make it joint data-controllership, but it is important to work together. If a mistake is made, the ESP could also face legal action. When it comes to sanctions & fines, both may be charged, but primarily the brand. But nobody can take the attitude of “that’s not my problem”.

According to Magnus Eén, one main challenge was to track down who data is shared with to ensure that they are also behaving compliantly and in accordance with the data processing agreements. From the reverse perspective, as an email service provider that can act as said third party, Dr. Isabel Feys explained the opportunity that Mailjet saw in the GDPR to become an EU leader in email marketing by making compliance a competitive advantage. Her motto is “change before you have to.” Mailjet examined the impact of the GDPR on their business case: What does it mean from an IT perspective? How can the deletion of data be carried out in one push? One gray zone remaining concerns how long the data can and should be stored. A clear impact for the company has been that the legal team has doubled, and there is considerably more consulting being done to help customers understand compliance.

Cross-Border Transfers

Another gray zone that Dr. Isabel Feys raised was about transporting data across country borders. Dr. Jens Eckhardt made clear that data transfer to non-EU countries is a question of an “adequate level” of protection. This “adequate level” as defined by the EU Commission will stay in force after the GDPR. But more discussion will be required, at least when it comes to the US. In short, if you were allowed in the past to send your data to non-EU countries, then you will be allowed to in the future. The safest approach remains the EU model clauses and Binding Corporate Rules.

Data Portability

Speaking from the perspective of an ISP, Kerstin Espey commented that one big challenge she is still facing is data portability. It is a question of what personal data is, what kind of data is involved, and how to transfer this data to another controller. Dr. Jens Eckhardt clarified that data portability does not apply to all data – it is about data provided by the data subject to the controller. But there is no definition of “provide”, nor is there clarity concerning whether an end-user simply uploading something to a platform equates to “providing” data to the data controller.

Data portability has its genesis in mobile phone portability, and the concept is for the end-user to be able to take all personal data to another provider (Eckhardt gave the example of Facebook and photos and messages from the last 10 years). Data portability does not apply to the metadata of an order, for example. The question of which format the data should be in is also not defined; merely, that it should be in a machine-readable form. For Eckhardt, this is an advantage: It is not necessary to switch to a new system to provide data portability. Most important for ISPs is to simply implement a process by which data portability can be undertaken when a request comes from a client, even if the person responsible needs to go step by step to decide whether the request needs to be fulfilled or not.

An interesting reverse take on the privacy question

Don Owens turned the discussion of privacy on its head at the end of the panel session. As a security vendor, he explained, Cisco Systems collects data through spamtraps to analyze malicious behavior and create better forms of protection. But spam may be sent using, for example, hijacked or disused personal email addresses. This is potentially personally identifiable information that is being collected. Does data privacy or the right to be forgotten apply to security vendors? Can a malicious actor or a spammer – or the original owner of that hijacked email address – have the right to demand that security vendors delete their data? As Don Owens pointed out, “We don’t want to forget him. If we delete his data, we can’t block him anymore.” Further, security analysts need to share such data with other parties for the development of security applications. He went on to recount that after his initial panic at the legislation, he consulted with several lawyers, and subsequently calmed down considerably.

Dr. Eckhardt agreed that, yes, this is personal data, but that does not mean collecting it is necessarily prohibited. Going back to the Holy Trinity of the GDPR, what is important is to look at the purpose: security. There is a legitimate interest in collecting and storing this data, and the rule of the balance of interests takes precedence here. However, it is necessary to document that balancing process. In the end, it is important to have a process that can be shown to a Data Protection Authority (DPA). But it is unlikely that a security vendor will be required to delete such data: To take advantage of the rights of the data subject, the data subject needs a verified identification, and spammers and malicious actors will have trouble authenticating.

Everything you ever wanted to know about Branded Indicators for Message Identification (BIMI)

Branded Indicators for Message Identification (BIMI) is an industry standardization effort that brands and ESPs will love, according to Thede Loder, Chair of the Authindicators Working Group (BIMI) and Senior Director with Agari Data Inc. Brands will want to use BIMI, and ESPs will want to be able to support their customers to use it. The project is concerned with producing a set of technical specifications and ensuring the development of a desirable business ecosystem for the safe and ubiquitous use of brand logos as visual identities.

Currently, there is no dominant standard for the way images can be integrated into third-party applications. Logos are already incorporated into many apps, but BIMI takes a different approach: in mobile email applications, the BIMI logo is not in the body of the email, and is not part of the email message. It is basically a library of authenticated, certified, brand logos published through the DNS, that will only display in authentic emails from that brand. Furthermore, the logos are registered trademarks, meaning that the BIMI standard would help to protect brands from impersonation attacks associated with phishing, for example.

In a nutshell, Thede Loder explained that BIMI means that, rather than hoping application developers will use the correct logo in the correct format, brands can publish the right logo, which is then updated for all third-party apps. In a re-branding activity, previously, brands would need to go out and find every example of the old logo individually to have it changed to the new logo. In addition, while many platform providers curate their own libraries of logos, these can only deal with the biggest brands, as the cost of maintenance becomes prohibitive for the inclusion of smaller brands. BIMI is accessible to all brands, and levels up the playing field. Brands that the Authindicators Working Group (BIMI) have talked to say they want it.

Loder sees the benefits of BIMI for senders and brands as being:

  • Immediate brand recognition. BIMI will provide billions of impressions in third-party apps that they don’t get today.
  • Improved user experience
  • Ensuring the logo is current and consistent across platforms
  • Removal of the risks associated with searching for logos manually: that it is not current, not authentic, the wrong brand
  • Trustworthy high-quality logos

From the other side, Loder sees the benefits for messaging and application providers:

  • Standardization economics – does away with the need to curate own library of logos
  • Authentic logos self-published by brands – removes the legal risks from platform operators
  • BIMI will drive adoption of best sending practices and authentication


  • Costs involved for app provider to build and curate trustworthy and inclusive database of quality logos
  • Lack of adequate safeguards to prevent impersonation attacks
  • Uncertain risk of selecting trademarks (and being wrong) or being sued for using a logo without permission

According to Loder, BIMI removes these barriers by shifting costs for proof of ownership or for license to use to brands (enabling long tail coverage); by allowing smaller brands to actually be included; and by shifting platform provider risks to other players. BIMI can also accommodate changes based on court decisions, making it possible to quickly and easily update images and clarify ownership through the DNS record.

How it works – technically

For a Brand:

  • obtain a BIMI certification, through an auditing process
  • identify the logo file, publish it in the DNS as a BIMI-specified DNS TXT record for their domain

For a mailbox provider:

  • receive message, verify authenticity, fetch DNS record, acquire location of logo and fetch it, check the certificate to see if it looks legitimate
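
The receiver-side steps listed above, sketched as an added example that is not code from the working group or the talk. It assumes the record syntax of the public BIMI draft (a TXT record at default._bimi.<domain> with v=, l= and a= tags) and that draft's requirement for an enforced DMARC policy; the domains and the DNS table are constructed, and fetching the logo and validating the certificate are left to the caller.

```python
from urllib.parse import urlparse

# Constructed DNS data standing in for live TXT lookups (placeholder domains).
ZONE = {
    "default._bimi.brand.example":
        "v=BIMI1; l=https://media.brand.example/logo.svg; "
        "a=https://media.brand.example/mark.pem",
    "default._bimi.optout.example": "v=BIMI1; l=; a=",
    "default._bimi.plain.example": "v=BIMI1; l=http://media.plain.example/logo.svg",
}


def parse_bimi(txt):
    """Parse 'tag=value; tag=value' and insist on the BIMI version tag."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "BIMI1":
        raise ValueError("not a BIMI record")
    return tags


def https_url(value):
    """True only for absolute https URLs; anything else is never fetched."""
    url = urlparse(value)
    return url.scheme == "https" and bool(url.netloc)


def bimi_lookup(from_domain, dmarc_result, dmarc_policy, zone=ZONE, selector="default"):
    """Decide whether a logo may be shown for one received message.

    Returns ("fetch", {...locations...}) or ("no-logo", reason).
    """
    # Step 1: verify authenticity. A logo is only considered for mail that
    # passed DMARC under an enforced policy (assumption from the BIMI draft).
    if dmarc_result != "pass":
        return ("no-logo", "message failed DMARC")
    if dmarc_policy not in ("quarantine", "reject"):
        return ("no-logo", "DMARC policy not enforced")
    # Step 2: fetch the DNS record (here: the constructed table above).
    txt = zone.get(f"{selector}._bimi.{from_domain}")
    if txt is None:
        return ("no-logo", "no BIMI record")
    try:
        tags = parse_bimi(txt)
    except ValueError as exc:
        return ("no-logo", str(exc))
    # Step 3: acquire the logo location; an empty l= means the brand opted out.
    logo, evidence = tags.get("l", ""), tags.get("a", "")
    if not logo:
        return ("no-logo", "domain declined to publish a logo")
    if not https_url(logo):
        return ("no-logo", "logo location is not an https URL")
    # Step 4: this receiver requires a certificate location it can check.
    if not https_url(evidence):
        return ("no-logo", "no certificate to check")
    return ("fetch", {"logo": logo, "certificate": evidence})


if __name__ == "__main__":
    for domain in ("brand.example", "optout.example", "plain.example", "none.example"):
        print(domain, bimi_lookup(domain, "pass", "reject"))
```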

Why BIMI will succeed

Loder is convinced that BIMI will succeed, because the creators are designing BIMI like a product that is meant to sell. This is being achieved by trying to make sure that all organizations have a benefit, which is important to make a complex ecosystem work. This ecosystem includes email service providers, marketing service providers, the PKI industry, certificate authorities, and email authentication providers.

BIMI is currently being trialed on Oath, and brands interested in participating can contact the working group.

Make Your Email Take Off By Following Best Practices

Steve Jones from LinkedIn and Carmen Piciorus from La Poste cautioned the CSA Summit delegates that before boarding a flight to destination Inboxland, it is necessary to get your baggage in order. They explored best practices for sending marketing emails from both the perspective of the sender (Jones) and the receiver (Piciorus).

Be compliant 

Carmen Piciorus encourages clean mailboxes, with no messages to be tagged as spam. The fewer customer complaints the better for ISPs. Steve Jones explains that they want to make sure that every message sent to someone is a message they want to receive. He recommends requiring Double Opt-In (DOI) and confirming addresses. It is also important to make sure that receivers expect to receive messages – and not to surprise them. Senders should provide opt-out for all email contact, and offer the users a way to access their settings. Piciorus added that an unsubscribe link is very important. She explained that users are not techies, so processes like unsubscribe need to be made easy.

Be clean

Piciorus explained that a lot of mailboxes that have been archived because of no login in the past four months become a trap for unwary senders. Senders should read bounce codes coming back from these, or from addresses that are blocked, or from full mailboxes, and stop sending messages to those addresses. It is very important not to spend time, money, etc. re-sending those messages.

Steve pointed out that anything that makes the end user unhappy makes the receiver unhappy, which in turn slows down deliverability. He emphasized that senders should pay attention to feedback loops and bounces. These addresses can be flagged to reconfirm the address the next time they use the app or visit the website, for example. In addition to the bounces, Jones thinks it is good to track how interactive the user is, in order to gauge the relevance of messages being sent to each address.

Piciorus explained that they pay a lot of attention to the feedback loop. They have a limit rate, and when the limit is reached, IP reputation sinks, at least temporarily.

Be clear

Carmen Piciorus advised senders to always be clear, meaning using a different IP address for different functions. Steve agreed, recommending ideally the use of one single domain. Such consistency maximizes clarity. If it is necessary to use different domains, subdomains are the best option.

Furthermore, IP sending patterns should not lead to sudden peaks. Traffic control is important – that means functions to allow traffic to be smoothed out, so that there are not too many emails going out per day. When using an outside sender, warm up the IP by increasing volume slowly. It is good to start out with transactional emails, because they are less likely to get flagged by the receiver as spam, which helps to establish a good reputation for the new IP.

Jones also pointed out that different receivers have different tolerances, and it is important to respond as quickly as possible when a sender has exceeded the limit.

Be confirmed

Steve Jones advised that when it comes to confirmation, it’s all about making it as easy as possible for the receivers to identify you, to tie your identity to the messages you send, and make sure that the receiver can see that you are clearly a responsible sender following best practices. That means senders should use as many methods of authentication as possible, both IP-based, like SPF, or signature-based, like DKIM, or a protocol that brings all of these together, like DMARC – which in turn provides you with a reporting tool to improve practices.

Jones went on to say that, apart from it being important to keep the records clean and delete old addresses, DKIM keys need to be large enough (greater than 1K) and should be rotated at least once a year, and the sender needs to have somebody capable of analyzing DMARC reports and responding to what’s going on.
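
An added example, not from the talk or the CSA: one way to check a published DKIM record against the two thresholds Jones gives (RSA key greater than 1K, rotation at least once a year). The sample records are constructed with a placeholder modulus of the right size, not real keys, and the publication date is assumed to come from the sender's own key inventory, since DNS does not record it.

```python
import base64
from datetime import date

MIN_RSA_BITS = 1025        # "greater than 1K", as stated in the talk
MAX_KEY_AGE_DAYS = 365     # "rotated at least once a year"
# DER AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1, NULL params)
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a SubjectPublicKeyInfo blob."""
    tag, spki, _ = read_tlv(spki_der, 0)     # SEQUENCE SubjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, _alg, pos = read_tlv(spki, 0)         # AlgorithmIdentifier (skipped)
    tag, bitstr, _ = read_tlv(spki, pos)     # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("missing public key bit string")
    _, rsakey, _ = read_tlv(bitstr, 1)       # skip the unused-bits byte
    tag, modulus, _ = read_tlv(rsakey, 0)    # first INTEGER is the modulus n
    if tag != 0x02:
        raise ValueError("missing modulus")
    return int.from_bytes(modulus, "big").bit_length()


def parse_tags(txt):
    """Split 'tag=value; tag=value' into a dict, dropping folding whitespace."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def audit_dkim_key(txt, published, today):
    """Return a list of findings for one selector's TXT record (empty = OK)."""
    tags = parse_tags(txt)
    if not tags.get("p"):
        return ["revoked: empty p= tag"]
    findings = []
    if tags.get("k", "rsa") == "rsa":        # k= defaults to rsa
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
        except (ValueError, IndexError):
            return ["unparseable: p= is not a DER RSA public key"]
        if bits < MIN_RSA_BITS:
            findings.append(f"weak: RSA modulus is {bits} bits")
    if (today - published).days > MAX_KEY_AGE_DAYS:
        findings.append(f"stale: key published {published.isoformat()}")
    return findings


def der(tag, body):
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body


def der_int(value):
    """Encode a positive INTEGER with the leading zero DER needs for the sign."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def constructed_record(bits):
    """Constructed sample: a modulus of the right size, NOT a usable RSA key."""
    n = (1 << (bits - 1)) | 1
    rsakey = der(0x30, der_int(n) + der_int(65537))
    spki = der(0x30, RSA_ALG_ID + der(0x03, b"\x00" + rsakey))
    b64 = base64.b64encode(spki).decode()
    # p= may contain folding whitespace; include some to exercise the parser.
    return f"v=DKIM1; k=rsa; p={b64[:64]} {b64[64:]}"


if __name__ == "__main__":
    today = date(2018, 4, 20)
    for bits, published in ((1024, date(2018, 1, 1)), (2048, date(2017, 1, 1))):
        print(bits, audit_dkim_key(constructed_record(bits), published, today))
```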

One issue in authentication is forwarding, because a forwarded message may fail the authentication regimes. Piciorus mentioned the problems ISPs have with the forwarding of an email that is part of a mailing list: In this situation, SPF can fail and the DKIM signature can break. This creates the situation where users complain that emails are not getting through. In her experience, implementing DMARC resolved 80% of these cases, and she is hoping to solve the remaining 20% with ARC.

Be prepared

Jones pointed out that receivers are dealing with enormous volumes of messages, and they need simple ways of determining good from bad. Authentication gives them that, and allows them to make a faster evaluation – leading to the famous Google Gmail statement “no authentication, no entry”. Therefore, using authentication will allow you to be treated well by the receivers, and to get your messages delivered fast and reliably. Without authentication, the receivers need to spend more time evaluating, and deliverability will be slowed down.

However, he explained that the issue with forwarding emails meant that the Google “no authentication, no entry” had to be put on hold. The ARC protocol for forwarding is currently going through the IETF, and Steve hopes it is quite close to a last call.

Jones forecasts that the need for authentication is only going to get stronger as receivers get stricter, whether they use the “no authentication, no entry” slogan or not.

Piciorus described elements of the La Poste enforcement policy: If SPF authentication fails multiple times, then the IP will be tagged “suspect” and then will be temporarily blocked. If the message fails the DKIM control, it goes to spam. Messages should also be signed with the sending domain. The next step for La Poste is that they are considering implementing ARC.

Be transparent

Carmen Piciorus continued to say that La Poste monitors incoming traffic to check if the domain returns an IP and that it has an A or an MX entry. Steve Jones highlighted the importance of implementing DNSSEC. Authentication raises the bar that the bad actors need to get over in order to get their messages through. As well as this, TLS should not only be implemented, but also tracked – TLS 1.3 is on the horizon.

Hyper Relevant And Rich Mail Experiences Bound To Take Off

At the final session of the day at the CSA Summit 2018, Marcel Becker from Oath and Christian Hanke from Edenspiekermann looked at the changing email landscape and how to provide a much better user experience for end users. The way customers are using email is changing: Email is being consumed outside of the traditional email canvas. Email needs to stay relevant, offering new display experiences, integrating voice, and offering new services.

One example Becker gave of a new feature is extracting relevant content (e.g. coupons) and showing it to the user when it is needed (e.g. based on location or date), rather than having it simply stored by the date on which it was received. Consumers want a product similar to a concierge – one that actually knows you and provides what Hanke described as “micro services”, becoming an active part in the user journey.

Becker took aim at the assumption that email is dying, and showed that, rather, email is changing context: 90% of all email is non-conversational, being used by brands to talk to their customers. 91% of Americans prefer email for e-commerce communication. Personalized e-commerce emails are six times more likely to be clicked.

However, as Becker pointed out, spamming just won’t work. The ISPs are protecting their customers from the junk being sent out, and if you are sending such junk, your reputation will suffer. Not only the relevance, but also the frequency of commercial emails is important: Companies that continue undeterred with daily emailing have seen a 52% decline in revenues.

Yes, Becker acknowledged, there have been some minor attempts at segmentation – kind of half/half batching – but the emails are often not really personalized. Hanke argued that email should stop being the weak spot in the brand experience – and should become exciting again for brands.

End customers, in Becker’s opinion, want to be treated like first-class customers. Hanke agrees: Brands are starting to understand the importance of a relationship with end users – the need for empathy for the user is now sinking in. Brands need to understand intent and get a granular understanding of customers. They are really beginning to take responsibility for the digital products and experiences they are offering. Communications need to be based on understanding the customer, according to Becker, and email is just one channel in how brands deal with customers. Hanke believes the switch between channels needs to be seamless.

Becker asked how we can optimize the way we reach out to our customers. He pointed out that it is easy to understand intent with the “hand raisers” (e.g. through search), but not so easy if customers do not tell you what they want. He pointed out that receivers have a pool of data they can tap into to understand intent better – for example, knowing that the end user has booked a flight to New York means that offers for that time in New York would become relevant for that specific end user. Hanke agreed, but warned that care is needed in the design of such a system to avoid what he termed “creepiness”. As a brand, there is increasingly a responsibility for interruptions or disturbances in the day-to-day usage of users. The type of content and topics need to be appropriate to the situation.

Becker went on to say that the consumer is willing for the receiver to use the data for something meaningful – relevant, and not outdated – but the challenge is how to implement such a system – especially with data protection concerns raised by the GDPR, etc. Customers want to be treated as if receivers understand what they want. This means in turn that brands should also not offer things customers don’t want. There should be no more targeting of segments, but rather direct targeting of individuals.

Becker asked whether we are ready for this new approach. We can experiment, and try to set things up, but from a receiver perspective, it is important to avoid annoying users. Hanke sees great potential to connect with consumers through different micro services. With the rise of voice, there was the assumption that brands would see email as less important, but the reverse has been true. He sees huge opportunities with the new possibilities of email and an effortless way to connect with consumers for brands. But he warned that there is so much work to do to change the perception of brands in users’ inboxes.

Becker argued that ESPs think in established silos, which hinders us in getting to the next level, to help our customers and create new products. Not everything can be solved by just the ISP, or just the brand or marketing agency. The different players in the email marketing value chain are flying the plane together, and function as the go-between for the brand and the consumer. At the end of the day, what we all want is to get our mutual customer to do something – and if you do it right, the customer is happy to get out their credit card, the brand is happy, the receiver can maybe help the customer save some money with a coupon, there is increased engagement – so everyone’s happy.